[90923] in North American Network Operators' Group
RE: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Randy Bush)
Tue Jun 20 20:20:16 2006
From: Randy Bush <randy@psg.com>
Date: Tue, 20 Jun 2006 17:18:20 -0700
To: Ross Callon <rcallon@juniper.net>
Cc: "Bora Akyol" <bora@broadcom.com>, nanog@merit.edu
Errors-To: owner-nanog@merit.edu
>> The added cost for CPU-bound systems is that they have to try
>> (potentially) multiple keys before getting the **right** key
>> but in real life this can be easily mitigated by having a rating
>> system on the key based on the frequency of success.
>
> This mitigates the effect of authenticating valid packets. However,
> this does not appear to help at all in terms of minimizing the DoS
> effect of an intentional DoS attack that uses authenticated packets
> (with the processing time required to check the keys the intended
> damage of the attack).
gtsm
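To make the cost argument in the thread concrete, here is an added example (not code from the thread or from any router vendor) that models a receiver trying several TCP-MD5 keys with the success-rating ordering, and shows how a GTSM (RFC 3682, TTL 255) check in front of the MD5 work bounds what a remote attacker can make the CPU do. The digest is a simplified stand-in for RFC 2385, and the key set, segment bytes and hop counts are constructed.

```python
import hashlib
import hmac
from collections import Counter

KEYS = [b"old-key", b"new-key", b"next-key"]   # constructed rollover key set

def tcp_md5_digest(segment: bytes, key: bytes) -> bytes:
    # Simplified stand-in for the RFC 2385 digest (the real one covers the
    # pseudo-header, TCP header, data and key); enough to show the cost model.
    return hashlib.md5(segment + key).digest()

def verify_segment(segment, digest, ttl, keys, hits, gtsm=True):
    """Return (accepted, md5_ops): how many key trials this segment cost us."""
    # GTSM: a directly connected peer's packets arrive with TTL 255; anything
    # else is dropped before any MD5 work, which is what bounds the DoS cost.
    if gtsm and ttl != 255:
        return False, 0
    # Rating system from the thread: try the keys that succeeded most often first.
    ordered = sorted(keys, key=lambda k: hits[k], reverse=True)
    ops = 0
    for k in ordered:
        ops += 1
        if hmac.compare_digest(tcp_md5_digest(segment, k), digest):
            hits[k] += 1
            return True, ops
    return False, ops

def simulate(gtsm=True):
    """Constructed traffic mix: 5 good segments from the peer, 1000 forged ones."""
    hits = Counter()
    seg = b"constructed BGP UPDATE bytes"
    good = tcp_md5_digest(seg, KEYS[1])        # peer is already on the new key
    cost = {"peer": 0, "attacker": 0}
    for _ in range(5):
        ok, ops = verify_segment(seg, good, 255, KEYS, hits, gtsm)
        assert ok
        cost["peer"] += ops
    # Attacker several hops away: forged digest, TTL decremented in transit.
    for _ in range(1000):
        ok, ops = verify_segment(seg, b"\x00" * 16, 250, KEYS, hits, gtsm)
        assert not ok
        cost["attacker"] += ops
    return cost

if __name__ == "__main__":
    print("with GTSM:", simulate(True))
    print("without GTSM:", simulate(False))
```

The rating order makes the legitimate peer cheap after its first segment (one MD5 per packet), but without the TTL check every forged packet still costs a full pass over the key set, which is exactly the amplification the thread is worried about.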